Fix guide · low · robots_txt_reveals_paths
robots.txt reveals interesting paths
Your robots.txt has Disallow entries pointing at admin, api, internal, staging, or backup paths.
Why it matters
robots.txt is the first file an attacker reads — it tells them where you don't want crawlers to look. "Disallow: /admin/" is a roadmap.
How to fix it
robots.txt only stops well-behaved crawlers. It is not access control.
For paths that shouldn't be public, gate them with auth — don't rely on Disallow.
For paths that are sensitive but public, put them behind auth and don't list them in robots.txt at all. The Disallow doesn't actually hide them; it just makes them more discoverable.
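One way to audit your own robots.txt for this finding and confirm the listed paths are actually gated. This is an added example, not vibecheck's own code; the keyword list comes from the finding description above, `status_of` is a hypothetical caller-supplied lookup for the unauthenticated HTTP status of a path, and the sample data is constructed.

```python
import re

# Keywords taken from the finding description on this page.
SENSITIVE = ("admin", "api", "internal", "staging", "backup")

def disallowed_paths(robots_txt):
    """Return every non-empty Disallow value, in file order."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "disallow":
            value = value.strip()
            if value:                            # empty Disallow means "allow all"
                paths.append(value)
    return paths

def revealing_entries(robots_txt):
    """Disallow values with a path segment that starts with a sensitive keyword."""
    hits = []
    for path in disallowed_paths(robots_txt):
        segments = [s for s in re.split(r"[/*$?.=&_-]+", path.lower()) if s]
        if any(seg.startswith(k) for seg in segments for k in SENSITIVE):
            hits.append(path)
    return hits

def audit(robots_txt, status_of):
    """status_of(path): HTTP status of an unauthenticated GET (caller-supplied)."""
    report = []
    for path in revealing_entries(robots_txt):
        status = status_of(path)
        if status in (401, 403):
            verdict = "gated"        # auth is enforced; still remove the entry
        elif 200 <= status < 300:
            verdict = "exposed"      # served without auth: fix this first
        else:
            verdict = "other"        # 404, redirect, etc.: check by hand
        report.append((path, verdict))
    return report

# Constructed sample input, not taken from any real site.
SAMPLE = """\
User-agent: *
Disallow: /admin/        # staff console
Disallow: /api/internal/
disallow: /old-backup.zip
Disallow: /search
Disallow:
"""
SAMPLE_STATUS = {"/admin/": 200, "/api/internal/": 401, "/old-backup.zip": 404}
```

Any entry reported as "exposed" needs auth in front of it before the Disallow line is removed; "gated" entries only need the line removed.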
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.